US Thwarts Volt Typhoon Cyber Espionage Campaign Through Router Disruption

Written by

Hundreds of routers have been disabled in the US in an effort to take down a cyber espionage campaign conducted by Volt Typhoon, a hacking group associated with the Chinese government.

The US Justice Department (DoJ) announced on January 31, 2024, that the FBI led a law enforcement operation in December 2023 to disrupt a network of hundreds of connected devices.

These devices, commonly known as small office/home office (SOHO) routers, had been hijacked by the Volt Typhoon advanced persistent threat (APT) group, who then infected them with the KV Botnet malware.

Volt Typhoon Used Obsolete Cisco and NetGear Routers

The DoJ revealed that most routers that were part of the Volt Typhoon hacking network were Cisco and NetGear routers.

These routers were vulnerable because they had reached end-of-life status, meaning they were no longer supported through their manufacturer’s security patches or other software updates.

Small office/home office (SOHO) router. Credit: Shutterstock/tomeqs
Small office/home office (SOHO) router. Credit: Shutterstock/tomeqs

“The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the DoJ added.

Speaking to Infosecurity, Ian McGowan, managing director of Barrier Networks, said Volt Typhoon’s use of obsolete everyday devices for nation-state espionage purposes should be a wake-up call for manufacturers.

“The real takeaway from this announcement for organizations is the dangers of insecure or end-of-life devices on their networks. When end-of-life equipment is used in critical environments, this can provide low-hanging fruit opportunities for attackers. Organizations, therefore, must take steps to secure them or update them.”

James McQuiggan, security awareness advocate at KnowBe4, agreed: "These older technologies often lack the latest security features, making them available for attack. The struggle between financial and operational costs versus the need to upgrade end-of-life systems versus the price of a data breach should be a no-brainer. Still, the focus is mainly on the here and now rather than maintaining a strong cybersecurity posture.”

His colleague, Roger Grimes, data-driven defense evangelist at KnowBe4, insisted that although “exploiting firmware is easier than exploiting software, […] updating the firmware is inherently even harder than updating software.”

Firmware security should, therefore, be a top priority for manufacturers, according to Grimes.

US Critical Infrastructure Volt Typhoon’s Main Target

Infecting the routers with the KV Botnet allowed the Chinese hackers to avoid detection in order to conduct further hacking activities directed against US and other foreign victims.

These activities included a campaign targeting critical infrastructure organizations in the US and elsewhere that was the subject of a May 2023 joint advisory by the FBI, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA) and foreign partners.

The same activity has been the subject of private-sector partner advisories in May and December 2023 from Microsoft and Lumen, respectively.

CISA released a companion secure-by-design alert alongside the DoJ announcement on January 31.

The US Deputy Attorney General Lisa O. Monaco commented: “In wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools to disrupt national security threats – in real-time.”

Read more: China Poised to Disrupt US Critical Infrastructure with Cyber-Attacks, Microsoft Warns

Who is behind Volt Typhoon?

Volt Typhoon, also known as Bronze Silhouette, Insidious Taurus, Vanguard Panda and APT41, is a cyberespionage group linked to the Chinese government.

Although concrete evidence is scarce, Volt Typhoon is widely suspected to be affiliated with China's Ministry of State Security (MSS). This link is based on the group’s targeting patterns, techniques, and the level of sophistication employed in their operations.

They've been actively involved in malicious campaigns targeting critical infrastructure, primarily in the US, since at least mid-2021.

Volt Typhoon often utilizes living-off-the-land techniques, leveraging legitimate system tools for malicious purposes.

Their most recent campaigns targeted organizations in communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

In Microsoft’s May 2023 report, the tech giant assessed that Volt Typhoon’s campaigns pursued developing capabilities that could disrupt critical communications infrastructure between the US and Asia region during future crises.  

According to John Hultquist, Mandiant director at Google Cloud, Volt Typhoon’s KV Botnet is consistent with previously observed techniques, tactics and procedures (TTPs) employed by nation-state threat actors.

"At this time, we haven't observed the actors manipulate operational technology (OT). Their goal appears to persist on these networks until they are given the order to disrupt systems. We have learned from several Russian incidents that there are a variety of ways to bring down operational technology, ranging from careful manipulation to wiper attacks,” Hultquist commented.

“These incidents appear to have a focus on critical infrastructure that supports US forces. Defenders will have to work hard to detect this actor's techniques, which are very focused on staying under the radar."

FBI Director Christopher Wray commented: “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the People’s Republic of China (PRC) hard and early whenever we see them threaten Americans.”

Credit: Shutterstock/Gdisalvo
Credit: Shutterstock/Gdisalvo

DoJ Reassures Public on Router Disconnection Operation

In its announcement, the DoJ insisted that the government operation was conducted with extra care for the safety and privacy of the routers' original owners.

“The operation did not impact the legitimate functions of, or collect content information from, hacked routers,” the DoJ insisted.

“Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature. A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.”

The FBI has contacted all the owners whose contact information was available. For other owners, the Bureau contacted vendors or internet service providers (ISPs), asking them to notify the victims.

Public-private cooperation had been crucial to the success of the overall operation, Monaco said.

Barrier Networks’ McGowan shared with Infosecurity how impressed he was by the scale of the operation.

“This latest announcement from the FBI reinforces the powerful tools the US has at its disposal to disrupt cybercrime activity,” he said.

“Through a court order, the FBI gained access to the compromised routers, deleting the malware which had been used to recruit them into a botnet. This would have been a huge operation, and it reinforces the country’s determination to fight back on nation-state adversaries.”

What’s hot on Infosecurity Magazine?